2 Motivation
- Numerous malicious probes and worms
- End-host based solution is not sufficient
  - It is hard for all end users to apply patches quickly
  - Worms can contaminate millions of hosts within hours
- Network based solution: network intrusion detection systems (NIDS)
  - Perform packet scanning for complicated worm patterns in the network
  - Stop worms from reaching end hosts
  - Easy to manage for network administrators

3 Pattern Matching for NIDS
- Thousands of complicated patterns
  - Patterns have variable lengths
  - Patterns with correlation: "abc" followed by "cde" within 3 bytes
  - Patterns with negation: "user" not followed by "|0a|" within 50 bytes
- Require packet payload scanning
  - Not supported by most current network devices, which support packet header processing only
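The correlated and negated patterns on this slide are the kind of rule a header-only device cannot evaluate. The following is an added example, not code from the slides or their authors, showing one way to evaluate such rules over a payload. The semantics are an assumption made here, since the slides give only the informal phrasing: "A followed by B within N bytes" means some occurrence of B starts at most N bytes after the end of some occurrence of A, and "A not followed by B within N bytes" means A occurs and no B starts within that window. The hypothetical `Clause`/`match_rule` names are this example's own; "|0a|" is taken as the single byte 0x0a.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Clause:
    """One content clause of a rule (hypothetical representation, not a NIDS rule format)."""
    content: bytes
    within: Optional[int] = None   # max bytes between end of previous match and start of this one
    negated: bool = False          # rule only fires if this content is absent from the window

def _starts(payload: bytes, pat: bytes, lo: int, hi: int) -> List[int]:
    """Start offsets of pat in payload with lo <= start <= hi (overlapping hits allowed)."""
    out = []
    i = payload.find(pat, lo)
    while i != -1 and i <= hi:
        out.append(i)
        i = payload.find(pat, i + 1)
    return out

def match_rule(payload: bytes, clauses: List[Clause], pos: int = 0) -> bool:
    """Evaluate clauses left to right; `pos` is the end of the previous positive match.

    Positive clauses backtrack over every candidate occurrence, so "abc" may be
    re-anchored on a later "abc" if the first one has no "cde" close enough.
    """
    if not clauses:
        return True
    c, rest = clauses[0], clauses[1:]
    hi = len(payload) if c.within is None else pos + c.within
    hits = _starts(payload, c.content, pos, hi)
    if c.negated:
        # Negation does not advance the anchor: the next clause still measures from `pos`.
        return not hits and match_rule(payload, rest, pos)
    return any(match_rule(payload, rest, h + len(c.content)) for h in hits)

# The two example rules from the slide.
CORRELATED = [Clause(b"abc"), Clause(b"cde", within=3)]
NEGATED = [Clause(b"user"), Clause(b"\x0a", within=50, negated=True)]

if __name__ == "__main__":
    # Constructed sample payloads, not captured traffic.
    for payload in (b"xxabcZcdeyy", b"abcZZZZcde", b"abcabcZcde"):
        print(payload, "correlated:", match_rule(payload, CORRELATED))
    for payload in (b"user bob\n", b"user" + b"A" * 60 + b"\n", b"hello"):
        print(payload[:12], "negated:", match_rule(payload, NEGATED))
```

Note that a negated clause is satisfied by absence, so a payload that does not contain "user" at all does not fire the negation rule: the positive anchor must match first.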

4 Current Pattern Matching Schemes
- Software based solutions
  - Speed is slow
- FPGA solutions
  - Build large DFA or NFA for all patterns
  - Build a KMP based search engine for each pattern
- Bloom Filters
  - One bloom filter for each pattern length
  - Not scalable when pattern lengths vary dramatically

6 Pattern Matching with TCAM
- Put all the patterns into the TCAM
- Assume patterns are shorter than or equal to the TCAM width
  - If shorter than the TCAM width, pad with '?'
- Order the patterns according to length, longest first
  - When matching entry ABC, report matching of both pattern ABC and AB
- Shift one byte each time

7 Analysis
- Scan speed: 4 ns per TCAM lookup, shifting one byte at a time
  - 8 bits / 4 ns = 2 Gbps worst-case scan rate
- Limitation: requires all patterns to be shorter than or equal to the TCAM width
  - Set the TCAM width >= longest pattern's length
  - Pad all short patterns to the TCAM width
  - Wastes TCAM resources
- Can we set the TCAM width smaller and cut long patterns into smaller patterns?

8 Long Patterns
- Cut long patterns into smaller patterns
  - TCAM width w = 4 bytes
  - DEFGABCDL is split into DEFG, ABCD, and L
- Pad the last partial pattern with the tail of the second-to-last partial pattern
  - DEFGABCDL is split into DEFG, ABCD, and BCDL
- Problem: short partial patterns, many TCAM hits
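A software model of the scheme on slides 6 through 8, as an added example (not the authors' code): patterns padded with '?' to the TCAM width, entries ordered longest first so that a hit on ABC also reports AB, a one-byte shift per lookup, and long patterns cut into w-byte pieces with the last piece padded from the tail of the preceding one. The slides name a partial hit list (PHL) on slide 15 but do not define it, so the `phl` bookkeeping here is an assumption: it records which pieces of a split pattern have already been seen at a given candidate start offset, which is what turns the many short partial hits into a single report of the full pattern. All class and function names are this example's own.

```python
from collections import defaultdict

WILD = None  # ternary "don't care" cell, the slides' '?'

def split_pattern(pat: bytes, w: int):
    """Split pat into w-byte pieces, each with its offset inside pat.

    A final piece shorter than w is left-padded with the tail of the previous
    piece, so every entry is exactly w bytes: DEFGABCDL -> DEFG@0, ABCD@4, BCDL@5.
    """
    if len(pat) <= w:
        return [(pat, 0)]
    pieces = [(pat[i:i + w], i) for i in range(0, len(pat) - w + 1, w)]
    if len(pat) % w:
        pieces.append((pat[len(pat) - w:], len(pat) - w))
    return pieces

def worst_case_rate_gbps(lookup_ns: float, shift_bytes: int = 1) -> float:
    """Slide 7's bound: shift_bytes consumed per lookup_ns (4 ns, 1 byte -> 2.0 Gbps)."""
    return 8 * shift_bytes / lookup_ns

class TcamMatcher:
    def __init__(self, patterns, width):
        self.w = width
        self.patterns = list(patterns)
        self.pieces = [split_pattern(p, width) for p in self.patterns]
        # One TCAM entry per distinct piece; it may stand for several (pattern, piece index) pairs.
        meanings = defaultdict(list)
        for pid, pcs in enumerate(self.pieces):
            for k, (sub, _) in enumerate(pcs):
                meanings[sub].append((pid, k))
        # Longest first: only the first matching entry is returned, so each entry also
        # records the shorter unsplit patterns that are prefixes of it (ABC implies AB).
        self.entries = []
        for sub in sorted(meanings, key=len, reverse=True):
            cells = tuple(sub) + (WILD,) * (width - len(sub))
            implied = [pid for pid, pcs in enumerate(self.pieces)
                       if len(pcs) == 1 and len(pcs[0][0]) < len(sub)
                       and sub.startswith(pcs[0][0])]
            self.entries.append((cells, meanings[sub], implied))

    def lookup(self, window: bytes):
        """Model of one TCAM lookup: first entry whose cells are all '?' or equal to the window byte."""
        for cells, meanings, implied in self.entries:
            if all(c is WILD or (i < len(window) and window[i] == c)
                   for i, c in enumerate(cells)):
                return meanings, implied
        return None

    def scan(self, payload: bytes):
        """Slide a w-byte window one byte at a time; return sorted (pattern, start) matches."""
        found = set()
        phl = {}  # assumed PHL: (pattern id, candidate start) -> piece indices seen so far
        for i in range(len(payload)):
            hit = self.lookup(payload[i:i + self.w])
            if hit is None:
                continue
            meanings, implied = hit
            for pid in implied:
                found.add((self.patterns[pid], i))
            for pid, k in meanings:
                pcs = self.pieces[pid]
                if len(pcs) == 1:
                    found.add((self.patterns[pid], i))
                    continue
                start = i - pcs[k][1]  # where the full long pattern would begin
                seen = phl.get((pid, start), set())
                if k == 0 or (k - 1) in seen:
                    phl.setdefault((pid, start), set()).add(k)
                    if k == len(pcs) - 1:  # every piece hit in order: the long pattern matched
                        found.add((self.patterns[pid], start))
                        del phl[(pid, start)]
        return sorted(found)

if __name__ == "__main__":
    # Constructed sample patterns and payloads, not rules or traffic from the slides.
    m = TcamMatcher([b"ABC", b"AB", b"DEFGABCDL", b"XYZ"], width=4)
    print(m.scan(b"__DEFGABCDL_ABC_"))
    print(m.scan(b"ABCDL"))  # partial hits alone never report DEFGABCDL
    print(worst_case_rate_gbps(4.0))
```

The second scan shows the cost the slide warns about: the payload `ABCDL` produces TCAM hits on the pieces ABCD and BCDL even though DEFGABCDL is not present, and only the PHL check on the candidate start offset keeps those hits from becoming a false match.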

15 PHL Size on Real Data
- For each packet, record average and maximum PHL size
  - Avg: mean of the average PHL size over all packets
  - AvgMax: mean of the maximum PHL sizes
  - Max: maximum PHL size over all packets
- Table: rows are TCAM width (4, 8, 16); columns are Avg, AvgMax, Max for the MIT dump and the Berkeley dump; cell values as extracted: 40.0420.270.030.4884.8e-65.6e-41.e-61.9e-57164.3e-75.8e-63

17 Conclusions
- Fast pattern matching is essential for building effective defenses against viruses
- Multiple pattern matching with TCAM
  - Achieves multi-gigabit rate
  - Searches for thousands, or tens of thousands, of patterns in parallel
  - Supports long patterns, correlated patterns, and also patterns with negation and wildcards
  - Can be extended to support higher rates with larger TCAMs